
Annual Security Policy Review

Purpose

This policy defines the scope of RunWhen's annual security policy review: the checks performed, the evidence collected, and who owns the process.


User Credentials

  • Reconcile Google Workspace user accounts here against the list of active employees and contractors; every account must map to an active person.

  • Reconcile GitHub user accounts here and here against the list of active employees and contractors.


Endpoint Security (macOS Fleet)

  • All Macs enrolled in MDM (Jamf/Kandji/Mosyle).

  • FileVault enabled and recovery keys escrowed in MDM.

  • Firewall enabled.

  • Automatic OS updates enforced.

  • Auto-lock after at most 15 minutes of inactivity (evidence: screenshot or MDM report).

  • USB storage devices blocked by policy.

  • Verify MDM compliance reports available for audit.


Data Protection

  • Data Retention & Deletion Policy reviewed and updated.

  • Verify scheduled deletion jobs (Google Workspace, GitHub, databases, logs).

  • Spot-check 1–2 customer offboarding cases for data deletion evidence.

  • Verify backups are encrypted and that a restore from backup has been tested.


Cloud & SaaS Security

  • Review IAM permissions for all individuals and groups here.

  • Review GCP audit logs here for any unexplained access.

  • Verify MFA enabled for cloud admin accounts.

  • Review GitHub org-level security settings (branch protection, code scanning).

  • Review all production firewall rules here and their change requests here for accuracy.

  • Confirm monitoring/logging tools are enabled (GCP audit logs).
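One way to carry out the account reconciliation from the User Credentials section and the admin-MFA check above in code. This is an added example, not RunWhen's own tooling: the `Account` and `Person` record shapes, the sample roster and account data, and the system names are constructed for illustration, and a real run would load them from the Google Workspace, GitHub and GCP IAM exports linked from this page.

```python
"""Reconcile identity-provider account exports against the HR roster.

Added example, not RunWhen's code. Record layouts and sample data are
constructed; real exports need their own loaders feeding Account/Person.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str    # assumed system name, e.g. "google-workspace", "github", "gcp-iam"
    identity: str  # login or email exactly as exported, for the audit record
    email: str     # primary email, used to join the account to a person
    admin: bool    # holds an admin/owner role in that system
    mfa: bool      # MFA/2FA enforced on the account


@dataclass(frozen=True)
class Person:
    email: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # contract end date for contractors, else None


def normalize(email: str) -> str:
    """Lower-case the address and drop a '+tag' so aliases join to one person."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


Finding = Tuple[str, str, str]  # (system, identity, reason)


def reconcile(accounts: List[Account], roster: List[Person], today: date) -> List[Finding]:
    """Return every account that fails the review, with the reason.

    An account fails when it has no active owner in the roster, when its
    owner is a contractor whose contract has ended, or when it holds an
    admin role without MFA.
    """
    by_email = {normalize(p.email): p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = by_email.get(normalize(acct.email))
        if person is None:
            findings.append((acct.system, acct.identity, "no matching roster entry"))
        elif person.status != "active":
            findings.append((acct.system, acct.identity, "owner is not active"))
        elif person.end_date is not None and person.end_date < today:
            findings.append((acct.system, acct.identity, "contract ended"))
        if acct.admin and not acct.mfa:
            findings.append((acct.system, acct.identity, "admin without MFA"))
    return sorted(findings)


# Constructed sample data for illustration only.
ROSTER = [
    Person("alice@example.com", "active", None),
    Person("bob@example.com", "terminated", None),
    Person("carol@example.com", "active", date(2024, 6, 30)),
]
ACCOUNTS = [
    Account("google-workspace", "alice@example.com", "alice@example.com", True, True),
    Account("google-workspace", "bob@example.com", "bob@example.com", False, True),
    Account("github", "carol-contractor", "carol@example.com", False, True),
    Account("github", "dave-ops", "Dave+ci@Example.com", True, False),
    Account("gcp-iam", "alice@example.com", "alice@example.com", True, False),
]
TODAY = date(2024, 9, 1)


if __name__ == "__main__":
    for system, identity, reason in reconcile(ACCOUNTS, ROSTER, TODAY):
        print(f"{system:17} {identity:22} {reason}")
```

The sorted findings list is the artifact to archive under Audit Evidence; each line names the system, the account as it appears in that system's export, and the reason it failed, so remediation can be recorded against it.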


Policies & Procedures

  • Review all policy documents here, including:

    • Data Deletion Policy reviewed and approved.

    • Access Control Policy reviewed and approved.

    • Incident Response Plan tested with at least one tabletop exercise.

    • Business Continuity Plan reviewed, disaster recovery tested.

  • Security awareness training delivered to all employees.


Vendor & Third-Party Risk

  • Review the list of active vendors, including any whose API keys are stored in the vault.

  • Ensure vendor contracts include data protection/security terms.

  • Reassess critical vendors (cloud providers, SaaS tools, contractors).


Audit Evidence

  • Collect and archive screenshots, compliance reports, and logs.

  • Store evidence in secure internal drive with date-stamps.

  • Document remediation for any failed checks.

Governance

This policy is jointly owned by the Head of Engineering and the Head of Security/Compliance. It is reviewed at least annually, or whenever the practices it covers change significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.
